Package        : lemonldap-ng
Version        : 1.9.7-3+deb9u1
CVE ID         : CVE-2019-12046
Debian Bug     : 928944

An attack vector was discovered by the lemonldap-ng developers. When the SAML or CAS service provider is enabled and the administrator has chosen to store the SAML/CAS tokens in the session database, an attacker can open an anonymous session to connect to any protected application that does not have specific access rules.

For Debian 8 "Jessie", this problem has been fixed in version 1.9.7-3+deb9u1.

We recommend that you upgrade your lemonldap-ng packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
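An added example, not part of the advisory or of lemonldap-ng: a small audit that lists which protected applications have no specific access rule, i.e. the ones an anonymous session as described above could reach. It assumes the LemonLDAP::NG JSON configuration layout in which `locationRules` maps each virtual host to its rules and the rule `accept` admits any open session; the host names and rules in the sample are constructed.

```python
import json
import sys

# Constructed sample mirroring the assumed "locationRules" layout:
# {virtual host: {URL pattern or "default": access rule}}.
SAMPLE_CONF = {
    "locationRules": {
        "wiki.example.com": {"default": "accept"},
        "hr.example.com": {"default": "$groups =~ /hr/", "^/public": " Accept "},
        "admin.example.com": {"default": '$uid eq "dwho"'},
        "old.example.com": {"default": "deny"},
    }
}


def open_to_any_session(conf):
    """Return {vhost: [patterns]} for rules that admit every open session.

    Assumption: a rule whose value is "accept" places no condition on the
    session, so an anonymous session satisfies it. Matching is done
    case-insensitively and ignores surrounding whitespace, so the audit
    errs on the side of reporting.
    """
    exposed = {}
    for vhost, rules in conf.get("locationRules", {}).items():
        hits = sorted(
            pattern for pattern, rule in rules.items()
            if isinstance(rule, str) and rule.strip().lower() == "accept"
        )
        if hits:
            exposed[vhost] = hits
    return exposed


def fully_exposed(conf):
    """Virtual hosts whose default rule admits every open session."""
    found = open_to_any_session(conf)
    return sorted(v for v, patterns in found.items() if "default" in patterns)


if __name__ == "__main__":
    # Pass the path of a configuration file to audit it; with no argument
    # the constructed sample above is used.
    conf = SAMPLE_CONF
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            conf = json.load(fh)
    for vhost, patterns in sorted(open_to_any_session(conf).items()):
        scope = "whole site" if "default" in patterns else "some paths"
        print(f"{vhost}: {scope} open to any session ({', '.join(patterns)})")
```

Hosts reported as "whole site" are the first candidates for an explicit access rule while the package upgrade is rolled out.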
